A brief Kevin Mitnick tangent…

Taking a brief break from actual studying to take in some Kevin Mitnick. Kevin was an important figure in my younger days. I was associating with hackers and phone phreaks as early as high school. I was naturally curious, and very interested in technology and computers. Two exploits stand out in my mind.

In one, I social-engineered someone into sharing his Compuserve password with me, then logged in, changed the password and stayed online for two days straight, downing pitchers of powdered iced tea and eating peanut m&ms in bulk.

The other was far more serious. It’s probably a bad combination to have an interest in, and knowledge of, phone phreaking, and land a job at a telephone answering service. Somebody I knew knew somebody, and somehow I ended up working at a small answering service in the Wheaton, Maryland area. At first, everything was fine, I was excited to have a job and get paid.

Gradually, I let my guard down and began to take advantage of the situation. First, since I worked alone on weekends, I’d have my girlfriend over and get a little carried away in between calls. Second, I realized that the newer equipment, which did not have dialers or touch-tone buttons, nevertheless had a dialtone. I used the click method of pulse dialing and was able to get calls to go through. At my young age, I was naive enough to think that if it was an incoming-calls only line, then any outgoing calls made on them fell somehow outside the system and would never be noticed, tracked, or more importantly, billed.  I was wrong, oh so wrong. After making a number of calls to recorded information lines, some of them international, just because I could, I was brought into the office to discuss the matter.  It turns out that since it was an incoming calls only line, that did NOT mean that calls didn’t count. It meant that the customer did not choose a long distance service. I mean, why would they?  And do you know what happened when a customer did not choose a long distance service?  It happened to default on a very expensive service.  So the answering service got a very expensive bill, and invited me to explain what I did, why I did it, and most importantly, how I did it.

Apparently, they had worked out some sort of arrangement with my parents and the local military recruiter, and agreed that if I would talk to the recruiter, they would not press charges.  I talked to the recruiter, who told me I could be anything but a truck driver.  I was close, perilously close, to joining, when I realized that they COULDN’T force me to join; that there was no relationship between their threats and reality, or between law enforcement and the recruiter; and that by entertaining the recruiter, I had fulfilled my side of the bargain. I walked, and was never charged.

I kept a much lower profile after that, plus I found other interests to keep me out of the hacking and phreaking world for a while (girls, punk rock, girls, etc.).  But when the Mitnick thing happened, I was both aware and understanding. What happened to Kevin was very similar to what happened to a friend of mine. With my friend, he got arrested for LSD possession. When uninformed or aggressively corrupt agencies make drug busts, things can go wrong. He was charged with the entire weight of the LSD PLUS the medium on which it was delivered, which made it look like WAY more LSD than it actually was.  Similar to Kevin, accused of information theft in the many millions of dollars range, as though by merely looking at source code he can invalidate all of the R&D money that went into creating it.  I stand by my analogy.

I also went to at least one 2600 meeting in the general time period as the big bust happened at Pentagon City Mall — that notorious event which appears to have been orchestrated by the Secret Service where a bunch of hackers’ personal gear was confiscated. Though I wasn’t at that meeting, thank goodness. And I don’t think I was really close with any serious hackers. I read the magazines, I learned the tricks, but I had other things going on that prevented me from being a full-on lifestyle hacker.

Fast forward to now, when I’ve been in an infosec position for over nine years now, and performing infosec roles for significantly longer than that.  And this weekend, I finally got around to watching the 2600 film Freedom Downtime, a documentary about the Free Kevin movement, and about the terrible ordeal that Kevin had to endure, unfairly and unconstitutionally, because of the hype that a few people built up around him. There’s an extended interview with him as well from 2003, after things had cleared up for him.

I’m also reading his books. The Art of Intrusion has some great stories of exploits.

A few years back, I picked up one of his business cards somewhere. It’s a metal business card with an actual lockpick set cut out and ready to break off and use.  Genius.

Once I finish this book, it’s back to the studying grind for me. I just wanted to share, because reading and watching films about Kevin brought up memories of my own youthful hacker experiences.

Kindles are stupid; also, a review of “Basic Security Testing with Kali Linux 2” by Daniel Dieterle

I recently picked up “Basic Security Testing with Kali Linux 2” by Daniel Dieterle. Because of the price, I ordered it on the Kindle instead of a hard copy.  Plus I liked the idea of working tutorials with the Kindle rather than a book that needed to be held open.

Working through the book was engaging and fun. I followed along with the tutorials and the external download recommendations and continued tutorials, and enjoyed several exploits along the way.  It really helped to solidify my understanding of some of the tools in Kali, and when to use which tool.

I’m considering the intermediate book next. However, I’m confused by the Amazon listings.  According to Amazon, the Basic book was published in May 0f 2016, but the Intermediate book was published in November 2015.  I’d hate to think I’m buying an intermediate book that was already out of date…  So I’ll do some more research before pulling the trigger on that.

Meanwhile, I have a number of other security books in various digital formats: .pdf, .epub, etc.  I thought it would be useful to convert them to be usable on the Kindle.

Not as straightforward as one would suspect, and not as straightforward as vendor and open forums would lead oine to believe.

First, I copied all of them in their respective formats to the Documents folder on the Kindle.  Turns out, there are specific file types that are preferred by the Kindle.  So next, I converted them all to .mobi files and reuploaded them (via the USB cable, which is called sideloading).  They still did not show up on my home screen, which I was led to believe they would.

So I did some research.  Turns out, a lot of people have this problem. Some claim to have resolved it by converting the documents to .azw3 format, by uploading them one at a time, by performing strange sexual rituals with their kindle, or you get the idea.  There is no consistent solution that seems to work for everyone.

Beyond that, some say it’s not a problem at all, the Kindle just “needs time to index them.”  And you can find this out by searching your Kindle for a random string of characters. When you get no results found, click below on “Text in Books” to determine how many “Items Not Yet Indexed” are on your Kindle.  I currently have 23 books on mine that have not yet been indexed.  There does not seem to be an interface to manage or force the indexing.  Some say indexing takes minutes, others say hours.  Probably depends on the size of your books.

Actually there is a way to sort of force indexing.  Mount the Kindle via USB, go to <Drive:>\System\Search Indexes and delete everything in there, then eject it.  Now instead of 23 items, I have 53.  Yay.  Going to leave it like that for a while and see if that properly reindexes everything.

And… nope.  Indexed everything that was already there, but still hasn’t recognized the new content.  Fuck Amazon and their stupid-ass Kindles.

UPDATE: Finally found a post that mentions that sideloaded documents show up when you click “Downloaded” on the home screen.  How annoying and stupid.  They don’t show up under “All” — only under “Downloaded.”  Wouldn’t common sense tell you that “All” includes “Downloaded?”

I understand that Amazon has an incentive to make it more difficult toi upload non-Amazon material; after all, that’s their bread and butter. However, I’m not at all interested in spending a not-insignificant amount of money re-buying a number of books I already have.

Until I can resolve this issue, I’m far less likely to invest in Amazon Kindle content.

Kali Linux dumbassitude (on my part)

So I burned a recent copy of Kali Linux onto a stick, and was playing with it, then I decided I wanted a more permanent installation, so I went to one I had installed on a VM prior, without realizing that it was the older version.  I was wondering why apt-get update, apt-get dist-upgrade, and apt-get autoremove involved SO MANY PACKAGES and was fucking things up every time.

Turns out the image I had in my VM ISOs directory was 2016.1, and everywhere else was 2016.2.  I don’t even remember exactly when I downloaded that older version.  Couple hours wasted, should be back on track shortly.

Meanwhile, I found someone local who might be interested in putting together a local 2600 meetup.  That’s exciting.  Been a long time since I’ve been to a 2600 meeting.